How To Find Locked Accounts In Active Directory

Active Directory auditing is an important part of ensuring compliance and the security of the IT surroundings. However, a mutual problem that Agile Directory auditors face is how to identify the source of account lockouts. If a user business relationship gets locked out for whatever reason, such as password modifications, may consequence in downtime and it can often be a fourth dimension consuming and frustrating process to get the Advertisement account re-enabled.

Follow the below steps to track locked out accounts and observe the source of Active Directory account lockouts. If you already know the lockout account in question, yous tin can start directly from step v (to rail source).

Pace 1 – Search for the DC having the PDC Emulator Part

The DC (Domain Controller) with the PDC emulator role will capture every business relationship lockout event with an event ID 4740. In case you take only ane DC then you can skip this stride.

Get-AdDomain – Running this cmdlet will search for the domain controller having the role of a PDC emulator.

Step 2 – Expect for the Event ID 4740

Open the issue log viewer of the DC. Go to the security logs, and search for the Event ID 4740.

Step 3 – Put Appropriate Filters in Place

There are suitable filters to generate a more customized report. For instance, you can search for a lockout which occurred in the concluding hour, and find the recent lockout source of a detail user.

Step 4 – Find Out the Locked Out Account Event Whose Information is Require

Click on the "Find" push in the actions pane to look for the User whose account has been locked out.

Step five – Open the Event Report, to Observe the Source of the Locked account

Here you can find the name of the user business relationship in the "Account Name", and the source of the lockout location equally well in the 'Caller Estimator Proper name' field.

How Lepide Active Directory Accountant Troubleshoots Business relationship Lockouts

Lepide Active Directory Accountant (part of Lepide Information Security Platform) generates Account Lockout Report where complete information about the event is displayed in a unmarried row. When you correct-click on whatever event, the context menu will requite you the post-obit options; "Unlock", "Reset Password" and "Investigate".

Unlock Business relationship

Click on this option to unlock the chosen user account. Once done, it shows the following message.

Reset Password

If you desire to reset the users' password, click on the "Reset Countersign" option. Enter the new password and and so ostend it. Select "User must alter countersign at the next logon" pick to force the user to modify the countersign on the next logon.

Investigate

In lodge to investigate how the user account was locked out click on the "Investigate" option in the context carte du jour. Subsequently clicking on the "Investigate" push, "Lockout Investigator" window opens up. In this window, you can click on "Generate Study" button to generate the report to view the reason behind business relationship lockout.